SSL failure for non www domain

Hello, first-time poster so please forgive any potential mistakes.

Site name: olos-trieste.netlify.app

I am unable to navigate to the non-www version of my site (olostrieste.it) without getting a “this website is not secure” warning. After reading your documentation I found that:

It is possible that we will get a certificate for one name (for example, petsofnetlify.com) and not for another (for example, www.petsofnetlify.com or some domain alias). In this case selecting Renew certificate should resolve the issue. If it doesn’t, please post in the Netlify Support Forums so our support engineers can repair the certificate.

I followed the required steps (renewing the SSL certificate) and not only did this not fix the issue, but I am now unable to renew the certificate because I am getting an "Acme::Client::Error::RateLimited: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt" error. This is even though I renewed the certificate only once, and looking at the last updated date it didn’t even renew successfully.

I am a bit lost on what to do next, hope that somebody can help. Thanks in advance.

Hey @NiccoloGranieri

It appears you do not have the required A record for your apex/root domain configured as per the Configure an apex domain documentation.

You need to have an “ALIAS, ANAME, or flattened CNAME record” pointing to apex-loadbalancer.netlify.com or an A record pointing to 75.2.60.5.

Hey @coelmay, thanks for the super quick response.

I had an A record pointing to 75.2.60.5 until yesterday and I had the exact same issue. I removed it because I thought I did something wrong, and decided to clean-up before posting here.

However, if you think that’s the issue, I’ll re-add the record straight away and hope for the best. Thanks!

Hey @coelmay, DNS changes seem to have propagated (I did a quick check): I can see the A record pointing at 75.2.60.5. However, the problem remains, any suggestions?

olostrieste.it is loading now, but without SSL. The fix for this is hopefully as simple as pressing the “Renew Certificate” button, see: Site Settings > Domain Management > HTTPS.

Hi @coelmay, as explained in my original post, I cannot renew my certificate because of the error posted. See further screenshot below:

Hi, @NiccoloGranieri. The root cause in this case is an AAAA record pointing to an IP address that Netlify does not control for the apex domain. The DNS record that is causing this is the one below:

olostrieste.it.		14400	IN	AAAA	2001:4b78:1001::1601

If that record is deleted, the SSL for the apex domain can be provisioned once the rate limit at Let’s Encrypt is lifted and the TTL (time to live) on the DNS record above has expired.

There is more information about the rate limits at Let’s Encrypt here:

Quoting that page:

There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems. Exceeding the Failed Validations limit is reported with the error message too many failed authorizations recently.

To summarize, if you delete the AAAA record above, you should be able to provision SSL about four hours later (because that is how long it will take for the cached record to expire).

After the four hours have passed after deleting the record above, the provisioning should work if you click the “Renew certificate” button found here:

https://app.netlify.com/sites/olos-trieste/settings/domain#ssl-tls-certificate

If that doesn’t resolve the issue please let us know.
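A pre-flight check for the situation described in the reply above, so that "Renew certificate" is not pressed while a stray record would still fail validation and count against the Let's Encrypt limit. This is an added example, not code from the thread or from Netlify; the A line's TTL of 300 in the sample is constructed, and treating every address other than 75.2.60.5 as stray is an assumption based only on the values quoted in this thread.

```python
import ipaddress

# Value taken from the thread: the A record target for a Netlify apex domain.
NETLIFY_APEX_IPS = {ipaddress.ip_address("75.2.60.5")}

# Constructed sample in `dig +noall +answer` layout: the required A record
# (TTL is made up) plus the stray AAAA record quoted in the thread.
SAMPLE_ANSWER = """\
olostrieste.it.\t\t300\tIN\tA\t75.2.60.5
olostrieste.it.\t\t14400\tIN\tAAAA\t2001:4b78:1001::1601
"""

def parse_answer(text):
    """Yield (name, ttl, rtype, address) for each A/AAAA line of a dig answer."""
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, dig comment lines (";...") and anything not "name ttl IN type value".
        if len(fields) != 5 or fields[0].startswith(";") or fields[2] != "IN":
            continue
        name, ttl, _, rtype, value = fields
        if rtype in ("A", "AAAA"):
            yield name.rstrip(".").lower(), int(ttl), rtype, ipaddress.ip_address(value)

def preflight(text, domain, allowed=NETLIFY_APEX_IPS):
    """Return (ok, stray_records, wait_seconds) for `domain`.

    ok is True only if the domain has at least one address record and every
    A/AAAA record points at an allowed address. wait_seconds is the largest TTL
    among stray records: how long resolvers may keep serving them once deleted.
    """
    records = [r for r in parse_answer(text) if r[0] == domain.lower()]
    stray = [r for r in records if r[3] not in allowed]
    wait = max((r[1] for r in stray), default=0)
    return bool(records) and not stray, stray, wait

if __name__ == "__main__":
    ok, stray, wait = preflight(SAMPLE_ANSWER, "olostrieste.it")
    for name, ttl, rtype, addr in stray:
        print(f"stray {rtype} record: {name} -> {addr} (TTL {ttl}s)")
    print("safe to renew" if ok else f"fix DNS, then wait {wait / 3600:.0f}h before renewing")
```

On the sample it reports the AAAA record and a four-hour wait, matching the 14400-second TTL quoted above.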

Hello Netlify team, I have the exact same issue and no AAAA record.

Could you let us know the domain name in question?

Thank you Hrishikesh, the domain name is williamghoussoub.com

Hey @willnetlify13,

If you visit here: https://acme-v02.api.letsencrypt.org/acme/order/54403714/91458399826 (the check returned by Let's Encrypt), you can see that there were multiple DNS entries that were resolving.

At the moment, your domain is on hold due to rate limits by Let's Encrypt. These limits usually last for a week. So I believe now that you’ve got a correct DNS configuration, you should be able to get the SSL after a week.

Great, will test and update you on the 1st of June! Thanks again!

I got the new certificate on the 1st of June, thanks again for the support!

Hi, @willnetlify13. Thanks for the follow-up and I’m glad to learn it is working now.